Is it possible to check the revocation status of an X.509 client certificate through the CRL in Spring Security before authenticating it? I've checked the documentation (http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html) but it doesn't mention anything about CRLs.
Implementing UserService only gives you the username and not the X509Certificate. Any help would be appreciated!
Thanks!
I'm not sure about the specifics of Spring Security, but if it's based on the trust managers of the JRE (if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one).
More details here:
- http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CERTPATH
- http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
- http://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
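As an added example (not from the answer above and not Spring Security code), here are the same three switches set from Java, followed by a PKIX validation that honours them, so a client chain can be classified as valid, revoked, or of undetermined revocation status. The PEM chain, trust-store path and password in main are assumed command-line arguments; BasicReason requires Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.ArrayList;
import java.util.List;

public class RevocationCheck {

    public enum Status { VALID, REVOKED, UNDETERMINED, INVALID }

    // The JRE-wide switches from the answer. They must be set before JSSE
    // initialises its trust managers, e.g. at servlet-container start-up.
    public static void enableRevocationChecking() {
        System.setProperty("com.sun.net.ssl.checkRevocation", "true"); // JSSE trust manager checks revocation
        System.setProperty("com.sun.security.enableCRLDP", "true");    // PKIX fetches CRLs from the CRLDP extension
        Security.setProperty("ocsp.enable", "true");                    // Security property, not a system property
    }

    // Validate a chain (leaf first) against the trust store with PKIX revocation
    // checking on; with the properties above the validator consults CRLs/OCSP.
    public static Status validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true); // default is true, made explicit: false would skip CRLs entirely
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return Status.VALID;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == BasicReason.REVOKED) return Status.REVOKED;
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) return Status.UNDETERMINED;
            return Status.INVALID; // expired, untrusted, bad signature, ...
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] PEM file with the client chain, args[1] JKS trust store, args[2] its password.
        enableRevocationChecking();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ts.load(in, args[2].toCharArray()); }
        System.out.println("Client chain status: " + validate(chain, ts));
    }
}
```

Because the container performs the TLS handshake, the properties are what matter in production; the validate method is useful for testing whether a given chain would be rejected and why.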
The SSL handshake is performed by the servlet container, rather than Spring Security, so any CRL checking should probably occur at that point. Spring Security treats it as a "pre-authentication" scenario.
Spring Security just reads the (already SSL-authenticated) certificate and allows you to link it to a local user account.